The Era of Cyber Warfare

April 01, 2012

What is cyber warfare and should South Africa be worried?

Kaspersky Lab's Cyber Security Conference 2012: IT Security in the Age of Cyber Warfare, held in Mexico, was brought about as a result of "the new paradigm of evolving cyber threats, the measures required to control cyber weapons, and the future of the IT security industry as a whole".

According to Sergey Novikov, head of Kaspersky Lab Global Research and Analysis Team: "The recent spate of targeted attacks on major corporations and state organisations all over the world, the use of malicious programs as weapons for waging cyber war and conducting espionage, and the cutting-edge technology of state-backed malware (Stuxnet, Duqu, etc), all herald the beginning of the new cyber era - the era of cyber warfare."

He explains that, as Kaspersky Lab predicted in 2010, the cyber scene is undergoing a reshuffle of forces, with a sharp rise in the power of a relatively new but already influential set of players alongside anti-virus vendors, software developers and cyber criminals: cyber superpowers.

"These cyber superpowers have begun to shift their focus from consumers to corporations, particularly with the increase in the uptake of virtualised environments. In fact, since January last year, there has been a real focus on corporations with valuable data that can be monetised - thus cyber gangs are targeting not only consumers, but also businesses, and this remains a very harsh reality globally and one that needs to be addressed."

Not surprisingly, however, and as was revealed at the conference, there are different definitions and opinions as to what the term "cyber warfare" entails.

Phillip Gerber, MD of Magix Security, explains: "The term is being constantly repositioned and has become obtuse. Many are using it as a marketing tool. Last year industrial espionage was elevated to a country-on-country level, but this does not necessarily mean it equates to 'war'."

Marthinus Engelbrecht from NewOrder Industries agrees with this: "Cyber warfare cannot be defined in isolation from warfare as a whole. The definition of cyber war has not yet been fully discussed and is not properly understood. The term is used very loosely in the media, often misleadingly so. Even a small number of individuals have the ability to cause serious damage, which makes it very difficult to determine whether it is an act of war, or an act of terrorism, or simply hacktivism."

Says Jan van der Merwe, MD of Secure Conekt: "If communications are disrupted on a battlefield by some form of 'hack', for example, this is clearly in the context of war. When lots of attacks are targeted at a particular oil company, is that an act of war? It could be, but it could also be in protest of some or other environmental concern."

"An 'act of war' is defined by military/government 'rules'," Van der Merwe continues. "The same context should be applied when considering a cyber attack, as they have their own rules. Not all attacks are acts of war."

Jeremy Matthews, country manager at Panda Security, adds: "There are currently two types of cyber warfare: cyber sabotage and cyber espionage. The best known in the cyber sabotage area is the Stuxnet case, a complex worm developed by Israel to sabotage the Iranian nuclear programme. The cases of cyber espionage, however, are more substantial; one of the latest examples would be an attack on the Japanese parliament perpetrated by Chinese hackers."

Despite the global confusion over the term 'cyber warfare', there are more cut-and-dried explanations of which types of threats and risks companies should currently be looking out for.

According to Novikov, the discovery of the first state-sponsored malware programs - Stuxnet (2010) and Duqu (2011) - has demonstrated the new capabilities that can be applied in conducting cyber espionage, cyber sabotage and potentially even cyber warfare via the Internet. "In 2012, the hi-tech malicious programs such as Stuxnet and Duqu created with state support will remain unique phenomena," he says. "However, other cyber weapons used to destroy data at a given time are likely to be more widely used. Programs such as kill switches, logic bombs, etc, can be developed on a regular basis and deployed systematically."

Engelbrecht maintains that data leakage in companies is growing. "The matter is highly publicised and there have been many companies publicly announcing breaches." He also cautions companies to look out for advanced persistent threats, such as malware and botnets. "These have the ability to turn a non-military asset into a formidable opponent."

Graeme O'Driscoll, innovation and technology manager of cloud at Internet Solutions, believes that internal security is notoriously considered last in corporate companies in South Africa.

According to Andrew Smith, sales engineer at Kaseya: "Historically speaking, organisations were safe from external hacks and attacks if a sound perimeter defence around the network was in place; a good firewall would suffice. The introduction of mobile devices, however, has changed the security landscape dramatically. Additionally, the sophistication of attacks has increased to the degree that cyber criminals target business with intent and strategy."

He also says the exploitation of truly mobile devices is still on the rise: perhaps not at the same exponential rate as for Windows-based machines, but an area of concern for all businesses. "Mobile devices also contain an enormous amount of information, so often hacking corporate networks through mobile devices is not necessary - access to the device is often enough," he says.

SHOULD SA BE WORRIED?

According to Van der Merwe, crime and hacktivism are real threats and should not be viewed any differently than crime versus war is in the "real world". "It is the source and their objectives that differentiate the two from each other," he explains. "The worry is the same as for any other war. Security should be a concern, period. Data leakage, fraud, identity theft, productivity loss: there are a multitude of reasons why we need to ensure that we secure our businesses."

Ligia de Gouveia, AxizWorkgroup product manager, says anyone running a business online should be worried, especially those that run online credit card facilities. "Online credit card fraud occurs too easily without the right security in place. Identity theft is another major security threat."

Matthews explains that SA is part of the globalised world connected to the Internet, and unlike countries and continents, there are no borders on the Internet. "As seen in companies all around the world, those with connection to any government organisation have been compromised."

Gerber says research firms and governments may prove to be especially easy targets. "This doesn't mean that we are necessarily under threat or anyone is waiting to attack us, but governments and research organisations tend to be quite advanced and contain very critical information, yet have low budgets for things like security, and they don't often know the value or importance of what they are and/or should be protecting."

O'Driscoll agrees that South African companies should be vigilant, but believes they need not panic about these issues. "Normally cyber terrorists or gangs will target companies either to gain access to classified documents for either themselves or paying third parties, or to in some way enrich themselves or others; South Africa is slightly protected due to our geographic isolation and our financial and economic isolation. But these Chinese walls are quickly falling away," he warns.

WHAT IS SA DOING?

On a more positive note, there do seem to be a number of initiatives that SA is working on nationally. De Gouveia says South Africa has approved a policy that will address security threats related to cyber space, combat cyber warfare and cyber crime. "The ministry of state security has announced that the cabinet has approved the National Cyber Security Policy Framework, which emphasises the need to develop, review and update existing laws as well as build trust in the secure use of information and communication technologies."

In SA, there are initiatives being taken to educate and raise awareness about cyber threats and how to defend against and prevent them, Matthews explains, such as Cyber Defence and Network Security Africa, to be held in Johannesburg in July 2012. According to O'Driscoll: "There are several initiatives around this. All South African banks work together on phishing and spear phishing sites. Most ISPs in South Africa also have security incident departments that work together on major security incidents, but the onus is always on the corporate itself. Security departments need to take the threats seriously."

WHAT CAN COMPANIES DO?

Vladimir Udalov, senior product manager of Emerging Markets at Kaspersky Lab, suggests: "Businesses are advised to invest in anti-malware solutions that are breaking new ground with new technologies and features, particularly with virtualisation becoming key for many businesses, and subsequently a focus - the issues of security in light of virtualisation needs to become a strong consideration for business decision-makers."

According to Lizelle McDermott, IP EXPO manager, as more businesses of all sizes turn to cloud computing and virtualisation to drive business agility, enhance workforce productivity and enable mobility, the issue of the security of mission-critical and sensitive data and information becomes central to the cloud computing value proposition.

"And whether businesses choose to host their data and services in a public cloud or manage and maintain them on private cloud infrastructure, their greatest challenge will be ensuring that adequate security technology is in place to protect the corporate network from the growing number of threats out there."

Engelbrecht advises that companies should have proper information security governance. "Sound policy is required in order to ensure that you set high standards." He also says regular risk assessment and situational awareness can keep risk to a minimum.

According to Matthews, to avoid security holes it is mandatory to have a patch policy that ensures all software installed in the company is updated and no known security holes are left open. "The only thing that can be done to avoid the social engineering attacks is to educate individuals around the topic and ways to defend and protect. However, if your company is a target, it is important to not only take prevention measures, but also be able to spot a breach as soon as possible," he says.

Gerber believes the most important thing is vigilance. "Never underestimate the value or the vulnerability of your data. By that, I am talking about the insider threat especially; it is easier to bribe someone or trick them than to hack into a system. You just can't trust people to do the right thing - not when it comes to your company's data."